My husband Chris is the smartest person I know. He is studying right now to take some “IT” test and he keeps asking me practice questions to see if I can help him with the answer. Ha! My knowledge is a bit limited on the subject compared to him. He works at Google as an IT auditor and he is always preaching to me about password protection. I asked him to write a little guest post about it, what a nice husband! Anyway, it might not be the most thrilling blog post you have ever read on my blog but it is informative and helpful.
Web Information Security – Is your password Secret?
Websites today employ several methods of ensuring your information is protected. Most notably, everyone is familiar with the username and password concept. Passwords are designed to restrict access to a user account through a secret (the password) which is known only to the holder of the account. Passwords today suffer from multiple weaknesses, both social and systematic. Let's look at a few of those weaknesses and how your information online may be vulnerable.
Overly aggressive password requirements
I used to work for a company which mandated that passwords be exactly 7 characters long, must not contain any dictionary word, must have characters which can't be within N characters of each other, etc. etc. Well, the only thing it did was make everyone reuse the same basic password and jitter one number or character every time. These rules also tend to make you write down your password on a piece of paper. How much do you trust the person next to you, or the janitor or cleaning crew, not to pick up that piece of paper?
No password requirements
How many of you have changed your gmail or yahoo or hotmail passwords in the 7 years since you created those accounts? No password restrictions were in place then and you are still relying on your hellomom password. Today, these accounts grant access to huge swaths of services and information that didn't exist 7 years ago. My original gmail account used to just give me gmail access. Now this same account gives me Checkout access, Google Docs, Google Apps, Picasa, Blogger, etc. Similarly, that hotmail account now gives me Windows Live, Xbox, Office Live, etc. Increasingly, 3rd party websites can ask me to log in with my gmail credentials and use that to verify my identity on their service. You get the drift (and change your old passwords!).
Computers are faster
Passwords are inherently easier to crack given today's computing speeds. Even passwords made up of the first letter of each word in a phrase can be recovered by trying common phrases.
Traditionally, websites have offered protection to web users through use of secure SSL-protected sites, identified by a url starting with “https://”. Using such a site encrypts the data in transit from your computer to the server of the service or website you are using. You should always be using websites which use SSL when doing anything with sensitive data (logins, purchases, CC mgmt, etc.). Even so, SSL only protects the data while it travels; it does not give you any protection against your password itself being stolen or guessed.
How can you protect yourself? Two-Factor to the rescue
For any sensitive websites — banks, investment accounts, email (?), etc — make sure you enroll and take advantage of an enhanced security method known as Two-Factor. Two-Factor means that in addition to your password, you also have something that is physically (or uniquely) identifiable to only you. Using Two-Factor, you can more effectively combat weak passwords. Here's how it works for a common scheme:
I have a username and password associated with my account. I also have in my physical possession a device which generates random codes for me. Only the device and the server know what the code is at any given time. When I log into a system, I must supply my username along with the 2 pieces which are known only to me — my password and my current random code. If someone has my password, they still can't log in because they don't have possession of the randomly generated digits.
Other methods of implementing Two-Factor involve the use of SMS messages which send the code to your phone, or an application installed on your phone which generates these random codes. More exotic methods may use a biometric scan, such as a finger swipe on your laptop, in addition to your password.
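To show what the "device code" scheme above actually does on the server side, here is an added example (not Chris's code, and not any particular bank's) of a login check that requires both the password and a time-based code of the kind a phone app or token generates. The secret, salt, user record and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed values for the example: a real service generates a fresh
# random TOTP secret per user and a random salt per password.
STEP_SECONDS = 30   # the device and server roll to a new code every 30 s
DIGITS = 6
TOTP_SECRET = b"constructed-example-secret-do-not-reuse"
PASSWORD_SALT = b"constructed-salt"

def hash_password(password: str, salt: bytes) -> bytes:
    """Store passwords as a slow salted hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, unix_time: int) -> str:
    """Code for the 30-second window containing unix_time (HMAC-SHA1, RFC 6238 style)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** DIGITS)).zfill(DIGITS)

# Constructed user record as the server would hold it.
USERS = {
    "chris": {
        "salt": PASSWORD_SALT,
        "pw_hash": hash_password("hellomom", PASSWORD_SALT),
        "totp_secret": TOTP_SECRET,
    }
}

def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Succeed only when both factors check out: the password AND the current device code."""
    user = USERS.get(username)
    if user is None:
        return False
    # Factor 1: something you know. compare_digest avoids timing leaks.
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    # Factor 2: something you have. Accept one window either side for clock drift.
    for drift in (-1, 0, 1):
        expected = totp(user["totp_secret"], unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False
```

A stolen password alone fails the second check, and a captured code stops working once its 30-second window (plus the drift allowance) has passed.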
Many banking websites may also employ a scheme of asking you questions only you would know the answer to (such as facts off a credit report, or questions you had to answer when you created the account). These questions are designed to challenge the user for information that any plain Jane with the password would not be able to supply. When the website detects a login from a computer it has not seen before with your account, the questions are presented and you must answer correctly before being logged in. A good challenge question should be something factual and non-subjective. Don't use “What is my favorite flavor of gum” because your answer to this could change over time. Instead, try something factual like “What was the name of your first pet.”
Thanks Chris for guest posting! I hope you found this helpful, please comment on the post with questions or comments so Chris will want to post again! Ha!